One of the tools I talk about is IPCAD, the IP Cisco Accounting Daemon by Lev Walkin. I discuss IPCAD in the section on statistical data for network security monitoring (NSM) in my book and my talk. I like IPCAD because it presents data just like one sees with the Cisco show ip accounting command. I actually used IPCAD in an incident response scenario several years ago, before I learned of Carter Bullard's Argus.

The version available in the FreeBSD ports tree (net-mgmt/ipcad) requires more entries in the ipcad.conf file than what I present in my book and slides. Here is the ipcad.conf file I created after I installed IPCAD using the FreeBSD port.

Once IPCAD was running, I could query it as shown next. I ignore the "Connection refused" error caused by running an IPv6-enabled TCP/IP stack but not offering the rsh server in an IPv6-enabled manner.

We have gotten closer to the realm of NSM session data here. While we have socket information (source IP, source port, destination IP, destination port), we do not have timestamps. I prefer to leave the port information out of the equation and just keep the IP and byte counts.
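To show the reduction described above in code (an added example, not from the original post or from IPCAD itself): the script below parses constructed lines in the "show ip accounting" layout, assumed here to carry IPCAD's optional ":port" suffixes, drops the ports, and sums packets and bytes per directional IP pair and per two-way conversation.

```python
import re
from collections import defaultdict

# Constructed sample in the Cisco "show ip accounting" layout with :port
# suffixes; it is not output captured from the post's IPCAD instance.
SAMPLE = """\
   Source              Destination              Packets        Bytes
 192.168.1.10:1027   10.0.0.5:80                  120        98765
 10.0.0.5:80         192.168.1.10:1027            200       245000
 192.168.1.10:1028   10.0.0.5:80                   40        12000
 192.168.1.11:53     10.0.0.5:53                    5          600
"""

# IPv4 address, optional :port, repeated for destination, then two counters.
LINE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)(?::(\d+))?\s+"
    r"(\d+\.\d+\.\d+\.\d+)(?::(\d+))?\s+(\d+)\s+(\d+)\s*$"
)

def parse_records(text):
    """Yield (src, sport, dst, dport, packets, bytes); header lines and
    blank lines are skipped. Ports are None when the column is absent."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport, pkts, byts = m.groups()
        yield (src, int(sport) if sport else None,
               dst, int(dport) if dport else None, int(pkts), int(byts))

def aggregate_by_ip_pair(text):
    """Discard ports and total packets/bytes per directional (src, dst)."""
    totals = defaultdict(lambda: [0, 0])
    for src, _sp, dst, _dp, pkts, byts in parse_records(text):
        totals[(src, dst)][0] += pkts
        totals[(src, dst)][1] += byts
    return {k: tuple(v) for k, v in totals.items()}

def conversations(text):
    """Fold both directions into one unordered pair, closer to session data."""
    totals = defaultdict(lambda: [0, 0])
    for (src, dst), (pkts, byts) in aggregate_by_ip_pair(text).items():
        key = tuple(sorted((src, dst)))
        totals[key][0] += pkts
        totals[key][1] += byts
    return {k: tuple(v) for k, v in totals.items()}

if __name__ == "__main__":
    for pair, (pkts, byts) in sorted(conversations(SAMPLE).items(),
                                     key=lambda kv: -kv[1][1]):
        print(f"{pair[0]:>15} <-> {pair[1]:<15} {pkts:>6} pkts {byts:>9} bytes")
```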

There is one final aspect of IPCAD that deserves mention. In my book I mention Fprobe and ng_netflow as software-based NetFlow collectors. It turns out that IPCAD has the same functionality. IPCAD can act as a probe and send NetFlow records to a collector like Flow-capture in the Flow-tools collection.

Notice how IPCAD reports 21 cached NetFlows. This caused a problem, since apparently IPCAD had not flushed any flows to disk yet. I got the following error when trying to read the flows using Flow-cat and Flow-print: